From 67bd338380a77b946966e7be2f3fe3778e87c1d3 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov
Date: Thu, 1 Feb 2018 16:57:38 +0100
Subject: dashboard/app: show jobs/managers/logs only for admin

That's not very interesting for anybody other than admins.
---
 dashboard/app/handler.go | 36 ++++++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)
(limited to 'dashboard/app/handler.go')

diff --git a/dashboard/app/handler.go b/dashboard/app/handler.go
index 91d0210c7..c7bbde23c 100644
--- a/dashboard/app/handler.go
+++ b/dashboard/app/handler.go
@@ -20,6 +20,14 @@ import (
 
 // This file contains common middleware for UI handlers (auth, html templates, etc).
 
+type AccessLevel int
+
+const (
+ AccessPublic AccessLevel = iota + 1
+ AccessUser
+ AccessAdmin
+)
+
 type contextHandler func(c context.Context, w http.ResponseWriter, r *http.Request) error
 
 func handlerWrapper(fn contextHandler) http.Handler {
@@ -41,12 +49,11 @@ func handleContext(fn contextHandler) http.Handler {
 
 func handleAuth(fn contextHandler) contextHandler {
 return func(c context.Context, w http.ResponseWriter, r *http.Request) error {
- u := user.Current(c)
- if u == nil {
- return fmt.Errorf("sign-in required")
- }
- if !u.Admin && (u.AuthDomain != "gmail.com" ||
- !strings.HasSuffix(u.Email, config.AuthDomain)) {
+ if accessLevel(c, r) == AccessPublic {
+ u := user.Current(c)
+ if u == nil {
+ return fmt.Errorf("sign-in required")
+ }
 log.Errorf(c, "unauthorized user: domain='%v' email='%v'", u.AuthDomain, u.Email)
 return fmt.Errorf("%v is not authorized to view this", u.Email)
 }
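Review bot: `AccessLevel` and its three constants in the first hunk are added without doc comments, and the `iota + 1` start is easy to misread. A comment such as `// AccessLevel is the caller's effective privilege; values run from least to most privileged and the zero value is deliberately not a valid level.` would record that an uninitialised `AccessLevel` must never compare equal to `AccessPublic`. That intent is inferred from the `+ 1`, so confirm it before committing the wording.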
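Review bot: The denial branch in `handleAuth` now keys off `accessLevel(c, r)`, so an admin request carrying `access=public` is rejected and written by `log.Errorf` as an "unauthorized user". That puts entries which are not real authorization failures into the log operators read to spot them. Make the line tell the two cases apart, for example `log.Errorf(c, "unauthorized user: domain=%q email=%q admin=%v", u.AuthDomain, u.Email, user.IsAdmin(c))`; `%q` also keeps the entry unambiguous if a value ever contains quotes or whitespace. The rest of the closure lies outside this hunk.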
@@ -54,6 +61,23 @@ func handleAuth(fn contextHandler) contextHandler {
 }
 }
 
+func accessLevel(c context.Context, r *http.Request) AccessLevel {
+ if user.IsAdmin(c) {
+ switch r.FormValue("access") {
+ case "public":
+ return AccessPublic
+ case "user":
+ return AccessUser
+ }
+ return AccessAdmin
+ }
+ u := user.Current(c)
+ if u == nil || u.AuthDomain != "gmail.com" || !strings.HasSuffix(u.Email, config.AuthDomain) {
+ return AccessPublic
+ }
+ return AccessUser
+}
+
 func serveTemplate(w http.ResponseWriter, name string, data interface{}) error {
 buf := new(bytes.Buffer)
 if err := templates.ExecuteTemplate(buf, name, data); err != nil {
-- cgit mrf-deployment
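Review bot: The `strings.HasSuffix(u.Email, config.AuthDomain)` test in `accessLevel` is a plain suffix match, so the `AccessUser` decision depends on how `config.AuthDomain` is written, which this page does not show. An empty value matches every address, and a value without a leading `@` also matches other domains that merely end in the same string. Since this function now sets the level for every wrapped handler, reject a bad value explicitly, e.g. `if u == nil || u.AuthDomain != "gmail.com" || !strings.HasPrefix(config.AuthDomain, "@") || !strings.HasSuffix(u.Email, config.AuthDomain) {`, or validate it once at config load. A doc comment would also help, e.g. `// accessLevel returns the caller's effective level; admins may lower it with the "access" form value to preview other views.`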